emresavas

Registered
cPanel Access Level
Root Administrator
Could someone from cPanel staff explain how you let this happen? Even https://httpupdate.cpanel.net is not working due to CA certificate error. As far as I remember you are a partner of Sectigo. Didn't they contact you (or vice versa) for this kind of serious update? This is why you shouldn't remove Let's Encrypt from AutoSSL providers in the first place. At least we had a secondary option.

Lots of things changed after your "effective immediately" update last year.
 

wintech2003

Well-Known Member
PartnerNOC
cPanel Access Level
DataCenter Provider
We're still unable to issue SSLs through AutoSSL. We were previously getting the same error as you, @PlotHost, but now we see:
Code:
The response to the HTTP (Hypertext Transfer Protocol) “GET” request from “https://store.cpanel.net/json-api/ssl/certificate/free/xxxxxx” indicated an error (502, Bad Gateway): <html> <head><title>502 Bad Gateway
and after that:
Code:
WARN (XID zhybnv) The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “https://store.cpanel.net/json-api/ssl/certificate/free/xxxxxx” because of an error: Unexpected end of stream while looking for line
EDIT: It works now.
 

cPanelLauren

Product Owner
Staff member
There is definitely an issue upstream with Sectigo's CA bundle that we're currently investigating further.

There is a related OpenSSL case and an article from Sectigo that are related to this:

We're currently testing a patch to resolve this and are currently relaying the following:

cPanel is aware of widespread issues affecting new installations, AutoSSL, and EasyApache. This is related to a CA Root certificate expiring, and these issues should be resolved at this time. If you are still seeing expired certificates in the cPanel UI, unexpected SSL behavior on sites, or other SSL-related errors please run AutoSSL for all users to issue updated certificates: https://docs.cpanel.net/whm/ssl-tls/manage-autossl/
> This is why you shouldn't remove Let's Encrypt from AutoSSL providers in the first place. At least we had a secondary option.
We didn't remove Let's Encrypt from AutoSSL providers so I'm unsure what you're referencing here.

To add to this, if you are having an issue with a certificate issued by cPanel backed by Sectigo and it was issued prior to the last 30 days, you should be able to run AutoSSL right now and it will automatically regenerate the cert and resolve the issue.
 

zhongshan

Member
PartnerNOC
I'm still getting the error:

5:51:45 PM The provider “cPanel (powered by Sectigo)” cannot currently accept incoming requests. The system will try again later.
5:51:46 PM The provider “cPanel (powered by Sectigo)” cannot currently accept incoming requests. The system will try again later.

As far as I know this problem only affects very old browsers, right?
 

HollyRidge

Well-Known Member
cPanel Access Level
Root Administrator
> I'm still getting the error:
>
> 5:51:45 PM The provider “cPanel (powered by Sectigo)” cannot currently accept incoming requests. The system will try again later.
> 5:51:46 PM The provider “cPanel (powered by Sectigo)” cannot currently accept incoming requests. The system will try again later.
>
> As far as I know this problem only affects very old browsers, right?
I am getting the same thing right now. I have tried multiple times to run for that user and even to run for all users, same result.
 

fidividi

Well-Known Member
cPanel Access Level
Root Administrator
> 5:51:45 PM The provider “cPanel (powered by Sectigo)” cannot currently accept incoming requests. The system will try again later.
Same thing here...

> We didn't remove Let's Encrypt from AutoSSL providers so I'm unsure what you're referencing here.
Like zhongshan mentioned, I also don't see Let's Encrypt in the options of SSL Vendors, only cPanel (powered by Sectigo).
 

rch7

Member
cPanel Access Level
Root Administrator
The recommended /scripts/autorepair update_sectigo_cabundles shows errors like below when run as root:
Checking *******.com... Updating cabundle for “*******.com”....Can't locate Cpanel/YAML.pm: /root/perl5/lib/perl5/Cpanel/YAML.pm: Permission denied at /usr/local/cpanel/Cpanel/CachedDataStore.pm line 125.
:Permission denied at /usr/local/cpanel/Cpanel/SSLStorage.pm line 1596.
This certificate was already installed on this host. The system updated the Certificate Authority bundle for the current SSL installation..
Done
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
cPanel Access Level
DataCenter Provider
> The recommended /scripts/autorepair update_sectigo_cabundles shows errors like below when run as root:
> Checking *******.com... Updating cabundle for “*******.com”....Can't locate Cpanel/YAML.pm: /root/perl5/lib/perl5/Cpanel/YAML.pm: Permission denied at /usr/local/cpanel/Cpanel/CachedDataStore.pm line 125.
> :Permission denied at /usr/local/cpanel/Cpanel/SSLStorage.pm line 1596.
> This certificate was already installed on this host. The system updated the Certificate Authority bundle for the current SSL installation..
> Done
@rch7, Do you have any customizations in /root/.bashrc that affect the PATH used? What does the following command show, if anything?
Bash:
egrep '(PATH|PERL)' /root/.bashrc
Edit: If you find PERL5LIB, try to unset that first, then re-execute the autorepair script.
Bash:
unset PERL5LIB
/usr/local/cpanel/scripts/autorepair update_sectigo_cabundles
 

PeteS

Well-Known Member
cPanel Access Level
Root Administrator
> There is definitely an issue upstream with Sectigo's CA bundle that we're currently investigating further.
>
> . . .
>
> We're currently testing a patch to resolve this and are currently relaying the following: cPanel is aware of widespread issues affecting new installations, AutoSSL, and EasyApache. This is related to a CA Root certificate expiring, and these issues should be resolved at this time. If you are still seeing expired certificates in the cPanel UI, unexpected SSL behavior on sites, or other SSL-related errors please run AutoSSL for all users to issue updated certificates: https://docs.cpanel.net/whm/ssl-tls/manage-autossl/
So, are you saying that all cPanel servers should have this resolved by now? ("This is related to a CA Root certificate expiring, and these issues should be resolved at this time.") I see no issues on my server's performance (in modern browsers), nor with AutoSSL, nor errors reported when running AutoSSL for all users, but I did notice when FTPS started to fail connections if the client didn't like the certificate chain having an expired cert in it. I can work around that, but isn't the issue of the expired cert in the chain still present? ( https://whatsmychaincert.com/?cpanel.net )

If so, would the solution be to change the cert chain on the server, or are we awaiting an upstream fix to resolve this?

If it is something we can do, where would it be done? (Home » Service Configuration » Manage Service SSL Certificates, Home » SSL/TLS » SSL Storage Manager, or ???)

Please give us clear advice as to whether and how we should take action or wait for an upstream solution.

-Pete
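
Added example, not part of the original posts: a local check for the question raised above, listing which certificates in a PEM CA bundle or chain file are already past `notAfter`, or will be within a given window. The function names and the demo bundle are constructed for illustration; it assumes the `openssl` CLI and `awk` are installed.

```shell
#!/bin/sh
# Added example (not from the thread). Requires awk and the openssl CLI.

# split_bundle BUNDLE DIR: write each PEM certificate to DIR/cert-NN.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# expiring_certs BUNDLE [SECONDS]
# Print "position<TAB>notAfter<TAB>subject" for each certificate in BUNDLE
# whose notAfter falls before now + SECONDS (default 0: already expired).
# Exit status: 0 if none, 1 if at least one, 2 on setup failure.
expiring_certs() {
    window=${2:-0}; found=0; pos=0
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || continue
        pos=$((pos + 1))
        # -checkend N exits non-zero when the cert expires within N seconds
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
            subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
            printf '%s\t%s\t%s\n' "$pos" "$end" "$subj"
            found=1
        fi
    done
    rm -rf "$tmp"
    return "$found"
}

# make_demo_bundle DIR: constructed sample input. Two self-signed certificates
# (valid 3650 days and 1 day) concatenated into DIR/bundle.pem.
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo long-lived root" \
        -keyout "$1/long.key" -out "$1/long.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo short-lived root" \
        -keyout "$1/short.key" -out "$1/short.pem" 2>/dev/null &&
    cat "$1/long.pem" "$1/short.pem" > "$1/bundle.pem"
}

# Run against a real bundle when a path is given: sh check.sh /path/to/bundle
if [ "$#" -gt 0 ]; then expiring_certs "$@"; fi
```

A non-zero exit with a listed position means that entry of the bundle is what a strict client (such as the FTPS case mentioned above) would be rejecting.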
 

vikins

Well-Known Member
> There is a related OpenSSL case and an article from Sectigo that are related to this:
We are seeing issues related to on-server applications trying to send mail and being unable to connect with the mail server "error establishing ssl connection: certificate verify failed". All of the mitigation suggestions have already been tried. This doesn't appear to be an AutoSSL issue at this point, it is an OpenSSL issue.
 


PeteS

Well-Known Member
cPanel Access Level
Root Administrator
> We are seeing issues related to on-server applications trying to send mail and being unable to connect with the mail server "error establishing ssl connection: certificate verify failed". All of the mitigation suggestions have already been tried. This doesn't appear to be an AutoSSL issue at this point, it is an OpenSSL issue.
I configure email to require SSL for email send/receive, and have not seen a problem using Thunderbird, or iPhone (IMAP connection), nor have any users reported an issue (most use Outlook or Thunderbird). I would assume it's related to how the email client reacts to the expired cert.

What client are you seeing issues with?

-Pete